A recent incident of data theft has come to light involving the popular chat platform Discord, where hackers were able to access sensitive information of around 70,000 users. The breach included government-issued ID photos, marking it as one of the more severe security breaches the platform has experienced.
Discord, primarily utilized by gamers for communication, file sharing, and community engagement, clarified that their main systems remained secure. The breach occurred through a third-party service provider assisting with customer support and age verification. This led to the exposure of ID documents like passports and driver’s licenses, names, email addresses, and some support chat logs. While partial credit card information was compromised, Discord assured users that full payment data and account passwords were not compromised.
The breach was first noticed when samples of the stolen data were shared on a Telegram channel earlier this week, raising concerns about the extent of the breach. Discord refuted claims of a larger breach beyond what was disclosed, dismissing them as an extortion scheme orchestrated by the hackers.
In response, Discord stated that they would not reward the perpetrators for their illegal activities. Law enforcement has been involved, and the access of the compromised vendor has been terminated, although the vendor’s identity was not disclosed by Discord.
The incident has reignited discussions on the risks associated with online age verification processes. Critics argue that requiring users to upload government IDs poses new security threats. Maddie Daly from the Electronic Frontier Foundation pointed out that such verification systems essentially act as surveillance tools, potentially putting users’ personal information at risk.
The stolen ID photos and personal data could potentially end up on illicit markets, where they are often used for fraudulent activities and identity theft. Unlike credit card details that can be changed, government-issued IDs remain valid for extended periods, making them lucrative targets for cybercriminals.
Discord has taken steps to notify all affected users and advised them to remain vigilant. The company emphasized that regular chats, communities, and in-app activities were not impacted by the breach, which was confined to data stored with the third-party provider.
This breach adds to a series of incidents involving compromised ID-based verification systems. Recently, another app called Tea faced a similar breach resulting in the exposure of over 70,000 verification photos. Experts suggest that such breaches will persist unless companies reevaluate their age verification protocols or regulatory bodies enforce stricter guidelines on handling sensitive data.